#!/bin/sh
#
# Pre-commit hook that verifies if all files containing 'vault: true' in it's modeline
# are encrypted.
# If not, commit will fail with an error message
#
# From an idea by Raphael Campardou (@ralovely)
# https://gist.github.com/ralovely/9367737
#
# Adapted for transparent encryption/decryption
#
# File should be .git/hooks/pre-commit and executable
#
# If you want enryption/decryption to be transparent, you must add `.vault_password_hooks` 
# in your .gitignore file so the hooks won't delete this file, and reuse it when needed.
#

# Tag to look for
CRYPT_TAG='^#.*mode:.*vault: true'

EXIT_STATUS=0
wipe="\033[1m\033[0m"
yellow='\033[1;33m'
red='\e[0;31m'
green='\e[0;32m'
# carriage return hack. Leave it on 2 lines.
cr='
'

for f in $(git diff --cached --name-only)
do
  # test for the presence of the required bit.
  MATCH=`head -n4 $f | grep --no-messages -- "$CRYPT_TAG"`
  if [ ! -z "$MATCH" ] ; then
    # Build the list of unencrypted files if any
    UNENCRYPTED_FILES="$f$cr$UNENCRYPTED_FILES"
    EXIT_STATUS=1
  fi
done
if [ ! $EXIT_STATUS = 0 ] ; then
  echo '# COMMIT POSTPONED'
  echo '# Looks like unencrypted ansible-vault files are part of the commit:'
  echo '#'
  while read -r line; do
    if [ -n "$line" ]; then
      echo -e "#\t${yellow}unencrypted:   $line${wipe}"
    fi
  done <<< "$UNENCRYPTED_FILES"
  echo '#'
  echo "# Encrypting these files now. Hit <Ctrl+C> to cancel'"
  echo "#"
  if [ ! -r '.vault_password_hooks' ]; then
    echo -n "# Enter vault password:" 
    exec < /dev/tty
    read -s password
    echo -en "\n# Confirm vault password:" 
    read -s password_confirm
    echo -e "\n#"
    if [ "x${password}" != "x${password_confirm}" ]; then
      echo -e "#\n# ${red}Error: passwords do not match !${wipe}"
      exit 1
    fi
    echo $password > .vault_password_hooks
  fi

  while read -r line; do
    if [ -n "$line" ]; then
      echo -ne "#\t${yellow}encrypting: $line${wipe} => "
      if ansible-vault encrypt ${line} --vault-password-file=.vault_password_hooks > /dev/null 2>&1; then
        echo -e " ${green}success${wipe}"
      else
        echo -e " ${red}error${wipe}"
        exit 1
      fi
    fi
  done <<< "$UNENCRYPTED_FILES"

  echo "#"
  echo "# Files encrypted"
  echo "#"

  if [ ! -r '.gitignore' ] || ! grep '^.vault_password_hooks$' .gitignore > /dev/null; then
    echo -e "# Removing temporary password file.\n# Add .vault_password_hooks to .gitgnore to make it persistent"
    rm .vault_password_hooks
  fi

  exit 0
fi
exit $EXIT_STATUS